by 安全扫描
OpenClaw
安全
medium confidenceThe skill is an instruction-only API hardening playbook whose requested footprint (no installs, no credentials) matches its stated purpose, but treat any automated code edits or pasted source with normal caution.
评估建议
This is an instruction-only hardening playbook (no downloads, no env keys requested). It's internally consistent and useful for auditing API code, but follow these precautions before using it: (1) Do not paste secrets, .env files, or private keys into prompts—only share code you are comfortable exposing to the agent. (2) Treat suggested code changes as recommendations: review them, run tests, and stage changes in a dev environment before deploying. (3) If the skill recommends third-party service...详细分析 ▾
✓ 用途与能力
The name/description promise (hardening API endpoints) matches the SKILL.md: a comprehensive checklist and many language-specific code examples for rate limiting, input validation, auth, CORS, headers, injection prevention, error handling, and monitoring. There are no unrelated environment variables, binaries, or installs requested.
ℹ 指令范围
The skill instructs the agent to analyze API code (routes, controllers, middleware, configs) and produce before/after fixes. That is appropriate for the stated purpose, but it means the agent will need access to your source code when invoked — do not submit secrets, private keys, or production-only env files. The instructions do not, as presented, direct the agent to exfiltrate data or call unexpected external endpoints, but you should review recommended changes before applying them.
✓ 安装机制
No install spec or code files are present (instruction-only). This is low-risk because nothing will be written to disk by the skill itself.
ℹ 凭证需求
The skill requests no environment variables or credentials. It mentions integration patterns (e.g., Redis for distributed rate limits, logging/monitoring) in examples but does not require any secrets. This is proportionate to an audit/playbook style skill; still be cautious when following suggestions that ask you to provision or connect third-party services.
✓ 持久化与权限
always is false and there are no instructions to modify other skills or global agent configs. Normal autonomous invocation is allowed (platform default). The skill does not request permanent presence or elevated privileges.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/23
Initial public release of sovereign-api-hardener. - Provides a comprehensive checklist and code patterns for API hardening. - Covers rate limiting, input validation, authentication, CORS, security headers, injection prevention, error handling, and monitoring. - Designed for practical, actionable defense against real-world API attacks. - Includes implementation examples for Express.js, Flask, and Go. - Offers clear security requirements, validation schemas, and recommended configurations.
● 无害
安装命令
点击复制官方npx clawhub@latest install sovereign-api-hardener
镜像加速npx clawhub@latest install sovereign-api-hardener --registry https://cn.longxiaskill.com